On 10/30/18 8:31 AM, Frank Thommen wrote:
> I am still puzzled that it is possible to circumvent firewalld so
> easily. Basically it means that firewalld is not to be trusted as
> soon as containers with port forwarding are running on a system.

It's hard to see this as a security or trust problem. The root user can modify the firewall, which is provided by the kernel. firewalld is just a front-end. Adding rules to the kernel's firewall is not "circumventing" the management front-end.

You do have to bear in mind that the firewall-cmd output reflects the *configuration* and not the *state*. When docker adds rules, it modifies the state, but not the configuration.
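A check for the configuration-versus-state distinction made above, added here as an example and not part of the thread: it lists ports that are ACCEPTed in the kernel ruleset but absent from what firewalld reports. The `firewall-cmd --list-ports` and `iptables -S` outputs below are constructed samples; on a live host they would come from the commands named in the comments.

```shell
#!/bin/sh
# Constructed sample of `firewall-cmd --list-ports` (firewalld's configuration).
SAMPLE_FW_PORTS='22/tcp 443/tcp'

# Constructed sample of `iptables -S` (the kernel's actual state) on a host
# where firewalld manages the IN_public_allow chain and docker has inserted
# its own DOCKER chain for a port-forwarded container on 8080.
SAMPLE_KERNEL_RULES='-P INPUT ACCEPT
-P FORWARD DROP
-N DOCKER
-N DOCKER-USER
-N IN_public_allow
-A INPUT -j IN_public_allow
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A DOCKER ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT'

# kernel_only_ports FIREWALLD_PORTS KERNEL_RULES
# Prints every "port/proto" that has an ACCEPT rule in the kernel ruleset
# but does not appear in firewalld's port list. Live usage would be:
#   kernel_only_ports "$(firewall-cmd --list-ports)" "$(iptables -S)"
kernel_only_ports() {
    fw_ports="$1"
    kernel_rules="$2"
    printf '%s\n' "$kernel_rules" \
      | awk '/^-A/ && /-j ACCEPT/ && /--dport/ {
              proto = ""; port = ""
              # Walk the rule tokens to pick up the protocol and destination port.
              for (i = 1; i <= NF; i++) {
                  if ($i == "-p") proto = $(i + 1)
                  if ($i == "--dport") port = $(i + 1)
              }
              if (proto != "" && port != "") print port "/" proto
            }' \
      | sort -u \
      | while IFS= read -r p; do
            # Report only ports firewalld's own listing does not know about.
            case " $fw_ports " in
                *" $p "*) ;;
                *) printf '%s\n' "$p" ;;
            esac
        done
}

kernel_only_ports "$SAMPLE_FW_PORTS" "$SAMPLE_KERNEL_RULES"
```

With the samples above the only line printed is `8080/tcp`: open in the kernel, invisible to firewall-cmd.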